M365 Changelog: (Updated) DMARC aggregate reports for enterprise

MC516348 – Updated March 21, 2023: Microsoft has updated the content below with additional details. Thank you for your patience.

As part of the DMARC (Domain-based Message Authentication Reporting & Conformance) standard, the owner of the domain whose MX is pointed to Office 365 can request DMARC aggregate reports through the RUA of the DMARC record. This will help the domain owner to monitor their domain’s traffic passing through Office 365 and adjust their sender authentication configurations to reach an actionable DMARC policy.

This message is associated with Microsoft 365 Roadmap ID 109535

When this will happen:

Standard Release: Microsoft will begin rolling out mid-March (previously mid-February) and expect to complete by late March.

How this will affect your organization:

Domain owners will receive DMARC reports to RUA email addresses.

What you need to do to prepare:

Office 365 will send out DMARC aggregate reports to all sender domain owners that has a valid RUA address defined in their DMARC record, independent of their platform/configuration. The only exception is if the MX record for the recipient domain does not directly points to Office 365. In this case Office 365 will not send DMARC reports to the sender domain owner RUA address. 

For example, you have mailboxes with the recipient domain contoso.com, which domain has it’s MX record pointed directly to Office 365. (contoso-com.mail.protection.outlook.com). In this scenario Office 365 will automatically send DMARC aggregate reports to all email sender domain owners which has a valid RUA address defined in their domain DMARC record. 

If contoso.com MX record pointed to a different email security solution in front of Office 365, Office 365 will not send DMARC aggregate reports to any sender domains RUA address configured in their DMARC record as the information Microsoft sees about the sending infrastructure is likely to have been affected by the complex mail flow routing.

You can learn more about DMARC here